On 07.06.2018 at 17:50, jean-frederic clere wrote:
Version 1.2.17 includes the following changes compared to 1.2.16:

- Windows binaries built with OpenSSL 1.0.2o and APR 1.6.3

Various other fixes and improvements. See the changelog for details.

The proposed release artefacts can be found at [1],
and the build was done using tag [2].

The Apache Tomcat Native 1.2.17 is
  [X] Stable, go ahead and release
  [ ] Broken because of ...

+1 to release, thanks for RMing.

2 remarks:

- when I extract the zip sources on Unix, I get all dirs and files with group write (!) permission. That sounds unsafe. It wasn't like that for 1.2.16. I don't know on which platform and using which zip impl you created them, but many of those would reflect in the zip the permissions that the files had on your file system. Group write permission is typically something we should avoid for security reasons.

- OpenSSL used according to VERSIONS file is 1.0.2m. I would suggest taking the latest patch level for release builds but did not check the changelog and history to see whether there was a relevant change between 1.0.2m and 1.0.2o.

and one old remark:

- it seems to me that on Unix/Linux OCSP support is always active if OpenSSL supports it, but on Windows one needs to enable it. See "ENABLE_OCSP" in files native/BUILDING and native/NMAKEmakefile. Is that still the right thing to do, or should we simply distribute the OCSP-enabled Windows binary and drop the non-OCSP one? I can't judge by myself, but currently Windows and Unix/Linux builds differ in their defaults.

Now for the test results:

- Tested with APR 1.6.3, OpenSSL 1.0.2o plus patches,
  and unit tests of TC 8.5 head
- Platforms Solaris 10 Sparc, SLES 11 and 12 64 Bit, RHEL 6 and 7 64 Bits
- configure flag "--enable-maintainer-mode"
- make with gcc 8.1.0 on Solaris and platform gcc on Linux
- Using Java version 1.8.0_172 64 Bit
  - Using "-XX:-UseCompressedClassPointers" on 64 Bit Linux
- SHA1 and MD5 OK
- signatures OK
- gz and zip for sources consistent
- source dist consistent with svn tag
- config.guess and config.sub from apr 1.6.3 (copied by buildconf)
  from last year (OK).
- VERSIONS says OpenSSL 1.0.2m and APR 1.6.3
  - more recent OpenSSL 1.0.2o might have been nice
- recreated release with jnirelease script, results are
  consistent with source dist, except for minor expected diffs in
  generated docs
- make succeeds and builds lib
  - no C warnings
- unit test results for TC
  - no failures

Regards,

Rainer
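
The group-write remark above can be checked on a source zip before it is published. The following is an added example, not part of the original message or of the Tomcat Native release tooling: it reads the Unix mode stored in each zip entry and lists those with group or other write bits set. The function names and the sample archive (entry names and modes) are constructed for illustration.

```python
import io
import stat
import zipfile

UNIX = 3  # zip "version made by" host system code for Unix


def risky_entries(zip_bytes, mask=stat.S_IWGRP | stat.S_IWOTH):
    """Return (name, mode string) for entries whose stored Unix mode
    has any bit of `mask` set (default: group or other write)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Only archives written on a Unix host carry st_mode in the
            # upper 16 bits of external_attr; skip entries that do not.
            if info.create_system != UNIX:
                continue
            mode = (info.external_attr >> 16) & 0xFFFF
            if mode & mask:
                findings.append((info.filename, stat.filemode(mode)))
    return findings


def build_sample():
    """Constructed sample archive: one group-writable directory, one
    group-writable file and one file with 0644."""
    entries = [
        ("sample-src/", 0o040775),
        ("sample-src/example.c", 0o100664),
        ("sample-src/README.txt", 0o100644),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, mode in entries:
            zi = zipfile.ZipInfo(name)
            zi.create_system = UNIX
            zi.external_attr = mode << 16
            zf.writestr(zi, b"" if name.endswith("/") else b"sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, mode in risky_entries(build_sample()):
        print(f"{mode}  {name}")
```

To check a real artefact, pass the bytes of the downloaded zip to `risky_entries` instead of the constructed sample.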
